nanog mailing list archives

Re: DNS DoS ???


From: Stefan Fouant <sfouant () shortestpathfirst net>
Date: Fri, 29 Jul 2011 15:02:51 -0400

Ping me offline, there are a few other folks who have seen this as well.  The isc.org record is commonly used in 
reflection attacks because the size of the record is so large, so the amplification factor is greatly increased.  Can 
you check to see if +edns=0 was set in the query?  That would be a sure sign this is related to what others have seen...

Sorry for the top post, I'm on my iPad.

Stefan Fouant
JNCIE-M, JNCIE-ER, JNCIE-SEC, JNCI
Technical Trainer, Juniper Networks
http://www.shortestpathfirst.net
http://www.twitter.com/sfouant

Sent from my iPad

On Jul 29, 2011, at 2:51 PM, Elliot Finley <efinley.lists () gmail com> wrote:

my DNS servers were getting slow so I blocked recursive queries for
all but my own network.

Then I was getting so many of these:

ns2 named[5056]: client 78.159.111.190#25345: query (cache) 'isc.org/ANY/IN' denied

that it was still slowing things down.  I've since written a script to
watch the log and throw these into the box local firewall.  If I
expire the entries after 24 hours then I accumulate about 10200 unique
IPs.  If I expire after 48 hours, then it's just over 20000 unique
IPs.

Is anyone else seeing this?

Elliot
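
Added example, not part of the original thread and not the poster's script: a sketch of the log-watching approach described above, matching denied ANY queries in the named log format quoted in the post and keeping a block set whose entries expire. The class and function names, the sample log lines and their addresses are constructed for illustration; applying the result to a firewall is left to the caller.

```python
import re
from datetime import datetime, timedelta

# Matches the BIND "denied" line format quoted in the post (IPv4 or IPv6 client).
DENIED = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): query \(cache\) "
    r"'(?P<qname>[^/']+)/(?P<qtype>[^/']+)/(?P<qclass>[^/']+)' denied"
)

class ExpiringBlocklist:
    """Hypothetical helper: tracks sources of denied ANY queries with a TTL."""

    def __init__(self, ttl):
        self.ttl = ttl
        self.last_seen = {}  # ip -> time of most recent denied ANY query

    def feed(self, when, line):
        """Return the IP if this line adds a new entry, else None."""
        m = DENIED.search(line)
        if not m or m["qtype"].upper() != "ANY":
            return None
        ip = m["ip"]
        is_new = ip not in self.last_seen
        self.last_seen[ip] = when  # refresh the timer on repeat offenders
        return ip if is_new else None

    def expire(self, now):
        """Drop entries idle for ttl or longer; return the removed IPs."""
        # In a reflection attack the client address is normally the spoofed
        # victim, so entries are aged out rather than kept forever.
        stale = [ip for ip, t in self.last_seen.items() if now - t >= self.ttl]
        for ip in stale:
            del self.last_seen[ip]
        return sorted(stale)

PREFIX = "ns2 named[5056]: client "
SAMPLE = [  # constructed log lines using documentation address ranges
    (datetime(2011, 7, 29, 12, 0), PREFIX + "192.0.2.10#25345: query (cache) 'isc.org/ANY/IN' denied"),
    (datetime(2011, 7, 29, 12, 5), PREFIX + "192.0.2.10#4411: query (cache) 'isc.org/ANY/IN' denied"),
    (datetime(2011, 7, 29, 13, 0), PREFIX + "198.51.100.7#53124: query (cache) 'example.com/A/IN' denied"),
    (datetime(2011, 7, 30, 11, 0), PREFIX + "2001:db8::5#6000: query (cache) 'isc.org/ANY/IN' denied"),
]

def run_sample():
    bl = ExpiringBlocklist(timedelta(hours=24))
    added = [ip for when, line in SAMPLE if (ip := bl.feed(when, line))]
    removed = bl.expire(datetime(2011, 7, 30, 12, 30))
    return added, removed, sorted(bl.last_seen)

if __name__ == "__main__":
    print(run_sample())
```
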


